ASP, FORMS and Security


  1. #1

    First page: Form takes Userid/pwd
    Second page: ASP authenticates userid/pwd and then displays data based on userid. User clicks on a link and goes to third page.
    Third page: Get appropriate data from back-end and display.

    Question: How can I keep a hacker from viewing source on the second page and submitting his own form? One scenario is that a valid user can view source on the second page. He can change the userid and submit his own form to the third page, thus viewing data for another user!

    How can I prevent this without cookies or sessions? Is it even possible?

    Thanks,
    Vinay

  2. #2
    Mark Guest


    Although you could use cookies, I suggest that you don't. Data contained in cookies are not encrypted.

    I suggest you use Session variables.

    One other option is to authenticate the web user (client) using either Basic Authentication or NT Challenge/Response Authentication. Once authenticated, the web user (client) would have access to view any page on the web server that NTFS allows him to view. Only those NT Accounts that have permission to READ web files, per NTFS, would be able to view the files. Others without NTFS permission to READ the file would get ACCESS DENIED. This of course requires that you uncheck any Anonymous Authentication method, or at least make sure that the default IIS User Account (usually IUSR_machinename) does not have READ privileges on the sensitive files.
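
The Session-variable approach suggested in reply #2, sketched in classic ASP as an added example that is not part of either post. The page names, `CheckCredentials`, the `Application("ConnString")` entry and the `orders` table are assumptions made for illustration.

```asp
<%
' ===== page2.asp: receives the login form =====
' CheckCredentials is a hypothetical helper (not shown) that validates the
' posted userid/password against the user store and returns True or False.
Dim postedId
postedId = Trim(Request.Form("userid"))

If CheckCredentials(postedId, Request.Form("pwd")) Then
    ' The identity is stored server-side; the browser never holds the userid.
    Session("AuthUserId") = postedId
Else
    Session.Abandon
    Response.Redirect "login.asp"    ' assumed name of the first page
End If
%>
<!-- The link carries no userid, so View Source shows nothing worth editing. -->
<a href="page3.asp">View my data</a>

<%
' ===== page3.asp: displays data for the logged-in user =====
Dim userId, conn, cmd, rs
userId = Session("AuthUserId")

' No session value means the visitor never passed the check on page2.asp.
If IsEmpty(userId) Or userId = "" Then
    Response.Redirect "login.asp"
End If

' Request.Form("userid") and Request.QueryString("userid") are deliberately
' never read here, so a hand-built form cannot select another user's rows.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")    ' assumed connection string location
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT item, amount FROM orders WHERE userid = ?"  ' assumed schema
' 200 = adVarChar, 1 = adParamInput; the parameter keeps the value out of the SQL text.
cmd.Parameters.Append cmd.CreateParameter("uid", 200, 1, 50, userId)
Set rs = cmd.Execute

Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("item") & ": " & rs("amount")) & "<br>"
    rs.MoveNext
Loop
rs.Close : conn.Close
%>
```

Classic ASP tracks the session with a session-ID cookie, so this design depends on the browser accepting that cookie.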
